Week 13 In Review – 2011

Resources

Weaponizing doz.me: Improved HTML5 DDOS – spareclockcycles.org
Beyond making the backend code a little bit less of a disaster than it was originally, I have also made the attack itself significantly more effective.

Building A Better CA Infrastructure – freedom-to-tinker.com
As several Tor project authors, Ben Adida and many others have written, our certificate authority infrastructure has the flaw that any one CA, anywhere on the planet, can issue a certificate for any web site, anywhere else on the planet.

HAKING Magazine Issue 4/2011 – professionalsecuritytesters.org
In order to download the magazine you need to sign up to our newsletter. After clicking the “Download” button, you will be asked to provide your email address.

Enabling Browser Security In Web Applications – michael-coates.blogspot.com
These security properties enable the browser to impose additional security controls on items such as cookie handling, framing, and even the processing of JavaScript.

How To Learn The IT Skills Of A Security Professional – resources.infosecinstitute.com
There are two general routes to gaining this knowledge. For some, it works better if they just take some classes to get started. Others just Google what they want to learn and teach themselves.

IBM X-Force 2010 Trend Report Launched – blogs.iss.net
On Thursday we released our latest IBM X-Force 2010 Trend and Risk Report. As a part of this release we wanted to share a bit more insight into several areas that we think are fascinating.

CRC-32 forging – blog.stalkr.net
You may already know that the CRC-32 of any text can be forged if you can add 4 bytes anywhere in the text. See anarchriz’s paper on the subject.

NBNS Spoofing on your way to World Domination – packetstan.com
We discussed our paths of least resistance for internal tests, and I mentioned that my favorite are the attacks based on spoofing NetBIOS Name Service (NBNS) Responses.

Improving SSL Certificate Security – googleonlinesecurity.blogspot.com
Given the current interest it seems like a good time to talk about two projects in which Google is engaged.

Vulnerabilities

Attack on MySQL.com and further injections
This morning our friend Jackh4x0r decided to make public a vulnerability in MySQL.com.

Researchers point out holes in McAfee’s website – news.cnet.com
Researchers disclosed on a public security e-mail list today three vulnerabilities in the Web site of security firm McAfee, whose site has been found to have bugs several times before.

Other News

Comodo Aftermath and Hacker Reveal
The alleged hacker of Comodo stepped forward this weekend to explain how he generated bogus SSL certificates for login.skype.com, mail.google.com, login.live.com and other popular internet websites.

Hacking A Freemium iOS App – reverse.put.as
The iPad is a great product but it’s full of spyware and that sucks big time. One might argue that it’s not spyware, it’s just sending bits of information.

Microsoft Hunting Rustock Controllers – krebsonsecurity.com
Earlier this month, Microsoft crippled Rustock by convincing a court to let it seize dozens of Rustock control servers that were scattered among several U.S.-based hosting providers.

Android Malware Against Software Piracy – nakedsecurity.sophos.com
The success of the Android platform is obvious from the number of applications, now over 300000, available from the Android Market.

About Us

Infosec Events is dedicated to the growing information security industry. We strive to provide useful information and resources to those in the industry. Don't hesitate to contact us should you need anything.